Coverage report

  %line %branch
org.apache.jetspeed.security.impl.AbstractSecurityValve$1
0% 
0% 

 1  
 /*
 2  
 * Licensed to the Apache Software Foundation (ASF) under one or more
 3  
 * contributor license agreements.  See the NOTICE file distributed with
 4  
 * this work for additional information regarding copyright ownership.
 5  
 * The ASF licenses this file to You under the Apache License, Version 2.0
 6  
 * (the "License"); you may not use this file except in compliance with
 7  
 * the License.  You may obtain a copy of the License at
 8  
 *
 9  
 *     http://www.apache.org/licenses/LICENSE-2.0
 10  
 *
 11  
 * Unless required by applicable law or agreed to in writing, software
 12  
 * distributed under the License is distributed on an "AS IS" BASIS,
 13  
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 14  
 * See the License for the specific language governing permissions and
 15  
 * limitations under the License.
 16  
 */
 17  
 package org.apache.jetspeed.security.impl;
 18  
 
 19  
 import java.io.IOException;
 20  
 import java.security.Principal;
 21  
 import java.security.PrivilegedAction;
 22  
 
 23  
 import javax.security.auth.Subject;
 24  
 import javax.servlet.http.HttpSession;
 25  
 
 26  
 import org.apache.jetspeed.PortalReservedParameters;
 27  
 import org.apache.jetspeed.administration.PortalAuthenticationConfiguration;
 28  
 import org.apache.jetspeed.pipeline.PipelineException;
 29  
 import org.apache.jetspeed.pipeline.valve.AbstractValve;
 30  
 import org.apache.jetspeed.pipeline.valve.SecurityValve;
 31  
 import org.apache.jetspeed.pipeline.valve.ValveContext;
 32  
 import org.apache.jetspeed.request.RequestContext;
 33  
 import org.apache.jetspeed.security.JSSubject;
 34  
 
 35  
 /**
 36  
  * <p>
 37  
  * AbstractSecurityValve
 38  
  * </p>
 39  
  * <p>
 40  
  *
 41  
  * </p>
 42  
  * @author <a href="mailto:weaver@apache.org">Scott T. Weaver</a>
 43  
  * @version $Id: AbstractSecurityValve.java 544402 2007-06-05 06:20:00Z taylor $
 44  
  *
 45  
  */
 46  
 public abstract class AbstractSecurityValve extends AbstractValve implements SecurityValve
 {
     /**
      * Optional authentication settings. When this is <code>null</code>, or the hard
      * session limit is disabled in it, {@link #isSessionExpired(RequestContext)}
      * never expires a session. How the field gets populated is not visible in this
      * class (presumably set by a subclass or the container; confirm).
      */
     protected PortalAuthenticationConfiguration authenticationConfiguration;

     /**
      * Should build and return the <code>javax.security.auth.Subject</code> for the
      * given request. {@link #invoke(RequestContext, ValveContext)} stores the
      * returned value in the session and runs the rest of the pipeline under it.
      *
      * @param request the current portal request
      * @return Subject for this request
      * @throws Exception on any failure; <code>invoke</code> wraps it in a
      *         <code>PipelineException</code>
      */
     protected abstract Subject getSubject(RequestContext request) throws Exception;

     /**
      * Should build and return a <code>java.security.Principal</code> that represents
      * the user name of the Subject returned from <code>getSubject()</code>.
      *
      * @param request the current portal request
      * @return Principal
      * @throws Exception
      */
     protected abstract Principal getUserPrincipal(RequestContext request) throws Exception;

     /**
      * Reads the Subject previously stored in the servlet session.
      * <p>
      * The session is obtained with the no-argument <code>getSession()</code>, which
      * creates a new session when the request does not already have one, so this
      * lookup is not free of side effects.
      * </p>
      *
      * @param request the current portal request
      * @return javax.security.auth.Subject or <code>null</code> if there is no servlet
      *         session attribute defined for the key
      *         <code>org.apache.jetspeed.PortalReservedParameters.SESSION_KEY_SUBJECT</code>
      */
     protected final Subject getSubjectFromSession(RequestContext request) throws Exception
     {
         HttpSession session = request.getRequest().getSession();
         Object stored = session.getAttribute(PortalReservedParameters.SESSION_KEY_SUBJECT);
         return (Subject) stored;
     }

     /**
      * Establishes the security Subject for the request and runs the remainder of
      * the pipeline under it.
      * <p>
      * Uses <code>getSubject()</code> to call <code>ValveContext.invokeNext()</code> via
      * <code>JSSubject.doAsPrivileged()</code>. This method also sets the
      * <code>RequestContext.subject</code> property and the session attribute
      * <code>org.apache.jetspeed.PortalReservedParameters.SESSION_KEY_SUBJECT</code>,
      * overwriting whatever Subject the session held before.
      * </p>
      * <p>
      * If {@link #isSessionExpired(RequestContext)} reports an expired session,
      * nothing further in the pipeline runs for this request.
      * </p>
      *
      * @see org.apache.jetspeed.pipeline.valve.Valve#invoke(org.apache.jetspeed.request.RequestContext, org.apache.jetspeed.pipeline.valve.ValveContext)
      * @param request the current portal request
      * @param context gives access to the next valve in the pipeline
      * @throws PipelineException if there is an error encountered during any security operations.
      */
     public void invoke( RequestContext request, ValveContext context ) throws PipelineException
     {
         // The expiry check has already invalidated the session and issued the
         // redirect when it returns true, so stop here.
         if (isSessionExpired(request))
         {
             return;
         }

         // Initialize/validate the security subject; any failure in the subclass
         // surfaces as a PipelineException with the original exception as cause.
         Subject subject;
         try
         {
             subject = getSubject(request);
         }
         catch (Exception cause)
         {
             throw new PipelineException(cause.getMessage(), cause);
         }

         // NOTE(review): the subject is not checked for null before it is stored and
         // used below; what a null subject means depends on the subclass and on
         // JSSubject.doAsPrivileged, neither of which is visible here.
         HttpSession session = request.getRequest().getSession();
         session.setAttribute(PortalReservedParameters.SESSION_KEY_SUBJECT, subject);
         request.setSubject(subject);

         // Final copies so the anonymous action below can capture them.
         final ValveContext nextInChain = context;
         final RequestContext currentRequest = request;

         // run() cannot throw a checked exception, so a PipelineException raised
         // downstream is handed back as the action's result and rethrown afterwards.
         // Unchecked exceptions are not caught here and propagate unchanged.
         PrivilegedAction invokeNextAction = new PrivilegedAction()
         {
             public Object run()
             {
                 try
                 {
                     nextInChain.invokeNext(currentRequest);
                 }
                 catch (PipelineException downstreamFailure)
                 {
                     return downstreamFailure;
                 }
                 return null;
             }
         };

         // The third argument (access control context) is null; presumably this
         // mirrors Subject.doAsPrivileged semantics, confirm against JSSubject.
         PipelineException failure =
             (PipelineException) JSSubject.doAsPrivileged(subject, invokeNextAction, null);

         if (failure != null)
         {
             throw failure;
         }
     }

     /**
      * Check for hard limit session expiration time out.
      * <p>
      * The limit is absolute: the age is measured from the session's creation time,
      * not from the last access, so activity does not extend it. When the limit is
      * exceeded the session is invalidated first and the response is then redirected
      * to the context path followed by the configured timeout location; no request
      * parameter takes part in building that target.
      * </p>
      * <p>
      * The check is skipped entirely when <code>authenticationConfiguration</code> is
      * <code>null</code> or the hard limit is not enabled.
      * </p>
      *
      * @param request the current portal request
      * @return <code>true</code> if the session was invalidated and a redirect was
      *         sent, <code>false</code> otherwise
      * @throws PipelineException if sending the redirect fails with an IOException
      */
     protected boolean isSessionExpired(RequestContext request) throws PipelineException
     {
         if (authenticationConfiguration == null || !authenticationConfiguration.isMaxSessionHardLimitEnabled())
         {
             return false;
         }

         HttpSession session = request.getRequest().getSession();
         long createdAt = session.getCreationTime();
         long now = System.currentTimeMillis();
         boolean pastHardLimit = (now - createdAt) > authenticationConfiguration.getMsMaxSessionHardLimit();
         if (!pastHardLimit)
         {
             return false;
         }

         // Invalidate before redirecting so the old session is unusable even if
         // the redirect itself fails.
         session.invalidate();
         String redirector = request.getRequest().getContextPath() + authenticationConfiguration.getTimeoutRedirectLocation();
         try
         {
             request.getResponse().sendRedirect(redirector);
         }
         catch (IOException redirectFailure)
         {
             throw new PipelineException(redirectFailure);
         }
         return true;
     }
 }

This report is generated by jcoverage, Maven and Maven JCoverage Plugin.